'Companies, show us your data leaks'

Nieuwesteeg is the director of the EUR-institute Centre for Law and Economics of Cyber Security. If you leave out "Centre for", you have the title of the thesis that got him a doctorate in June 2018. With threats from both state actors and commercial computer hackers, cyber security scores high on the government’s agenda. Policy papers are published constantly. Bernold Nieuwesteeg can read them with his eyes closed: 'The world is digitising rapidly. To maintain our top position we have to overcome threats. This document cites several experts.'

Fear of damaging reputation

With the General Data Protection Regulation (GDPR), companies are required to report each data breach at the Dutch Data Protection Authority (DPA). Losing a USB-stick, laptop theft or hacking are considered breaches. If the breach has negative effects for those involved (think of financial data, IDs or usernames and passwords), it also has to be reported to those people. But that's usually where it ends. Incidents are not announced out in the open, out of fear of damaging reputations. 'Understandable,' says Nieuwesteeg, 'Announcing that you got hacked makes you vulnerable. Yet there is a huge difference between what people fear and the actual consequences. Most people don't really care if a company got hacked or not. Research has shown that there are no long term negative effects.’

Compulsory Emotional training

Still, security officers react with panic after a breach. 'You have a job, kids, a mortgage and suddenly the private data of 100.000 people is out in the open. Next thing you know, they’re spending big time on security audits. But does that help? Penetration tests are snapshots. There are a thousand ways to hack an organisation. Closing one security hole doesn't do much for the other nine-hundred and nine ways. Tests like that give a false sense of security. Nieuwesteeg is in favour of behavioural change. 'Every security officer should be required to do emotional training, because people don't react rationally in situations like that.'

Not just the suckers

According to Nieuwesteeg we should get rid of the idea that only suckers get hacked. 'Research shows that organisations that are properly secured actually report more breaches. One indication of good security is encryption. People that bother to encrypt data also tend to make backups. If such a company should get hacked then nothing is lost. Besides, the alternative – which is concealing breaches – is not an option. Sooner or later things get out in the open and that's when you really have a problem. When internet security company FOXit was hacked, they where completely transparent. It takes courage, but in the end the public appreciates it.

Digital drawer

Nieuwesteeg is al in favour for making breaches public. 'The knowledge we’re getting from the notification requirement isn't being utilised. The AP gathers the notifications, but stacks them in a digital drawer. It's merely a bureaucratic exercise, while it should be a chance to show vulnerabilities, analyse trends and see which security measures have an effect.

Keep reporting

Is the problem of data breaches solvable, or should it – just like the flu – be accepted as a natural phenomenon?  Nieuwesteeg: 'We should keep on reporting breaches. That way we can increase awareness and recognise trends. Investing in security is fine, but we should be critical of the return on investments. You can spend a euro only once, so you want to make sure it's done efficiently.'